Skip to content
TapPass

OWASP Top 10 for Agentic AI. TapPass Coverage

TapPass maps to all 10 risks in the OWASP Top 10 for Agentic Applications (2026).

OWASP RiskDescriptionTapPass StepsStatus
ASI01Prompt Injection & Manipulationdetect_injection (5-category multi-layer: structural, behavioral, obfuscation, payload, indirect), detect_unicode, inspect_images✅ Full
ASI02Excessive Agency & Permissionsdetect_escalation (4-stage multi-turn), tool_permissions, user_tool_scopes, require_approval, filter_tools✅ Full
ASI03Insecure Tool Usescan_tool_calls (command + path + content + forbidden zones), detect_code_exec (AST + reverse shell + SQL injection), tool_constraints✅ Full
ASI04Insufficient Output Validationscan_output (PII + secrets + infra + business), content_safety, constrain_output, dedup_output, detect_exfiltration✅ Full
ASI05Memory & Context Poisoningdetect_memory_poison (6 categories: file targeting, identity override, persistent injection, time bombs, MCP abuse, context poisoning)✅ Full
ASI06Multi-Agent Delegationuser_tool_scopes, capability tokens (ES256, per-agent tool + ops), tool_permissions per-agent✅ Full
ASI07Secret & Credential Leakagedetect_secrets, shell_bleed, pii_tokenize + pii_restore, forbidden zones (70+ protected paths)✅ Full
ASI08Inadequate Sandboxingnono kernel-level sandbox, trust tiers (observer/worker/standard/full), forbidden zones, dangerous command database✅ Full
ASI09Insufficient LoggingSHA-256 hash-chained audit trail, SIEM export (CEF/OCSF/JSON), tamper-evident logging, Prometheus metrics✅ Full
ASI10Misaligned Goal Executiondetect_insider_threat (7 categories: self-preservation, blackmail, goal conflict, deception, unauthorized sharing, phishing, sycophancy)✅ Full

Depth of Coverage

Section titled “Depth of Coverage”

ASI01: Prompt Injection & Manipulation

Section titled “ASI01: Prompt Injection & Manipulation”

TapPass’s detect_injection step uses a 5-category pattern database covering:

  • Structural markers (ChatML delimiters, role separators, XML/JSON injection)
  • Behavioral patterns (instruction override, persona switching, constraint removal)
  • Obfuscation (base64, Unicode tricks, ROT13, leetspeak)
  • Payload patterns (DAN, AIM, STAN jailbreaks, system prompt extraction)
  • Indirect injection (hidden instructions in tool output, markdown, URLs)

The 4-layer PII detection pipeline includes a normalizer that reverses 24 obfuscation techniques before scanning, making evasion significantly harder.

ASI02. Excessive Agency & Permissions

Section titled “ASI02. Excessive Agency & Permissions”

Multi-layered protection:

  1. detect_escalation: 4-stage multi-turn analysis (recon → data access → exfiltration → privilege escalation)
  2. tool_permissions: Per-agent allow/deny lists for tools
  3. user_tool_scopes: Per-user operation scoping
  4. require_approval: Human-in-the-loop gate for high-risk operations (EU AI Act Art. 14)
  5. filter_tools: Remove tools from LLM context based on classification

ASI05. Memory & Context Poisoning

Section titled “ASI05. Memory & Context Poisoning”

The detect_memory_poison step scans for 6 attack categories:

  1. Memory file targeting: MEMORY.md, SOUL.md, AGENTS.md, BOOTSTRAP.md writes
  2. Identity override: Changing agent personality, purpose, core values
  3. Persistent injection: Cross-session instructions (“always”, “forever”)
  4. Time bombs: Conditional triggers (“next time someone asks…”)
  5. MCP memory abuse: Storing malicious payloads via memory tools
  6. Context poisoning: Inserting false facts, contradicting system instructions

ASI08. Inadequate Sandboxing

Section titled “ASI08. Inadequate Sandboxing”

Defense-in-depth:

  1. nono kernel sandbox: Process-level isolation (file, network, exec)
  2. Trust tiers: Progressive permission model (observer → worker → standard → full)
  3. Forbidden zones: 70+ protected paths (credentials, cloud, browser, crypto, financial, system)
  4. Dangerous commands: 28+ blocked command patterns with per-tier enforcement
  5. OPA policy: Dynamic sandbox profile based on agent identity and classification

ASI10. Misaligned Goal Execution

Section titled “ASI10. Misaligned Goal Execution”

Based on Anthropic’s “Agentic Misalignment” research. The detect_insider_threat step scans for:

  1. Self-preservation: Resisting shutdown, self-backup, self-replication
  2. Information leverage: Blackmail patterns (reading secrets + threatening)
  3. Goal conflict: Choosing own goals over human directives
  4. Deception: Impersonating systems, fabricating policies, hiding actions
  5. Unauthorized sharing: Exfiltrating source code, credentials, bulk data
  6. Phishing vulnerability: Complying with authority impersonation
  7. Risk scoring: 0-100 scale with safe/monitor/alert/block levels

Regulation Mapping

Section titled “Regulation Mapping”

Each OWASP risk maps to EU regulations:

OWASPEU AI ActGDPRNIS2
ASI01Art. 9 (Risk Management), Art. 15 (Accuracy)Art. 32 (Security)Art. 21 (Risk Management)
ASI02Art. 14 (Human Oversight)Art. 25 (Data Protection by Design):
ASI03Art. 9 (Risk Management)Art. 32 (Security)Art. 21 (Risk Management)
ASI04Art. 15 (Accuracy)Art. 32 (Security):
ASI05Art. 15 (Accuracy), Art. 10 (Data Governance)Art. 5(1)(d) (Accuracy):
ASI06Art. 14 (Human Oversight)Art. 32 (Security)Art. 21 (Risk Management)
ASI07Art. 9 (Risk Management)Art. 32 (Security), Art. 33 (Breach Notification)Art. 23 (Incident Reporting)
ASI08Art. 9 (Risk Management)Art. 32 (Security)Art. 21 (Risk Management)
ASI09Art. 12 (Record-Keeping)Art. 30 (Records of Processing)Art. 23 (Incident Reporting)
ASI10Art. 14 (Human Oversight), Art. 9 (Risk Management)::